Mad Max Coming to an Electric Grid Near You?

mad_maxby James A. Bacon

Two years ago Iranian hackers infiltrated the control system of the Bowman Avenue Dam, a small structure used for flood control in Rye, N.Y., about 20 miles from New York City. The hackers never took control of the dam, and no damage was done, but U.S. officials say the incident highlighted the vulnerability of a sprawling U.S. infrastructure of dams, pipelines, drawbridges and electric transmission lines, according to the Wall Street Journal.

The timing of that story couldn’t be better for Ted Koppel, author of the newly published book, “Lights Out: a Cyberattack, a Nation Unprepared, and Surviving the Aftermath.”

Koppel’s terrifying thesis is simply stated in a series of propositions:

  1. Russia and China most likely have already infiltrated our electric grid, Iran is striving to do so, and terrorist organizations aspire to do so.
  2. While the electric power industry maintains that the electric grid is resilient enough to avoid catastrophic blackouts, a growing chorus of national security experts argue that the grid is vulnerable to cyber-sabotage. While parts of the system may be secure, no chain is stronger than its weakest link, and there are lots of weak links.
  3. Cyber-sabotage could lead to system-wide blackout in any or all of North America’s three grids (eastern, western and Texas) that could take months to repair. Neither the federal nor state governments are remotely prepared to respond to a disaster of this magnitude.
  4. Contemporary American society is so totally dependent upon electricity that the country would face economic collapse, civil unrest and mass starvation. Think Mad Max. Mortality rates could run as high as 90%.
  5. The Mormons will inherit the earth — or at least North America. The Mormon Church appears to be the only organized entity in the country to have stockpiled sufficient supplies of food and survival tools to survive a year-long “lights out” scenario.

While Koppel quotes a host of experts in government and the private sector who worry about U.S. vulnerability to cyber-attack, it is worth bearing in mind that consultants and government officials thrive on alarm. The more agitated the public is about the cyber-security threat, the greater the funds that will be thrown their way. I take their warnings with a grain of salt.

Still, the revelation of the Bowman Avenue Dam incident drives home one of Koppel’s main points: that Iran has been actively probing our grid. Maybe his thesis isn’t so alarmist after all.

The United States made a strategic decision years ago to prioritize cyber-offense over cyber-defense. Supposedly, we have the best cyber warriors in the world, and we can take down the infrastructure of any advanced society. Russia and China might be able to knock out our electric grid, but we could knock out their’s. We’re locked in a Mutually Assured Destruction scenario. But Iran? Who can predict the actions of a country ruled by mullahs in the grip of an end-of-times eschatology? If the enemy thinks that the mahdi is coming with the power of god to purge the world of evil and presage the day of judgment, Mutually Assured Destruction may not be much of a deterrence.

Whether you think the odds are 50-50 that catastrophic blackouts could occur, or one in ten, or one in a hundred, the potential consequences are every bit as cataclysmic as those of runaway climate change. But the issue hasn’t gotten a sliver of the attention that climate change has. As the nation embarks upon a massive re-engineering of the electric grid under the Clean Power Plan to reduce carbon-dioxide emissions, will the grid be more secure or less secure from cyber-assault as a result? Is anyone even asking that question?

So, what are we doing here in Virginia?

AEP, parent company of Appalachian Power Company, details its cyber-security initiatives here. The company works within the framework established by the North American Electric Reliability Council (NERC) to protect grid reliability, including the Critical Infrastructure Protection cybersecurity standards to be rolled out in 2016, and it participates in a variety of industry-government groups that share information.

Last month, AEP participated in the GridEx III exercise, sponsored by NERC, which brought together more than 200 organizations across North America. GridEx, the company says, “is the largest, most comprehensive effort addressing security by the electricity industry to date and serves as an example of the commitment of stakeholders to continuously improve physical security and cybersecurity defenses.” Findings from the exercise, which simulated cyberattacks in coordination with physical attacks, combined with trucks and shootings to create enduring damage, will be released in January.

Dominion’s web page on cyber-security states that the company continually monitors and periodically audits its operations. “Dominion cyber security experts regularly communicate with government agencies, law enforcement and intelligence organizations and industry peers to assess threats and align the company’s security posture with regulatory requirements and evolving digital technologies.”

In April, Governor Terry McAuliffe announced that Virginia was the first state to set up an Information Sharing and Analysis Organization, or ISAO, “a collaboration that is designed to facilitate the collection and analysis of critical infrastructure information in order to help stakeholders better understand and combat security risks.”

However, Koppel quotes General Keith Alexander, retired director of the National Security Agency (NSA) and now CEO of IronNet Cybersecurity, as saying that the electric grid is more vulnerable than it used to be. New interconnections create new pathways for cyber attacks to travel.

“Your small and medium-sized companies cannot afford a world-class cyber threat team,” he told Koppel. Bringing down small companies in the right order could initiate a domino-like “cascade effect” which could compromise the systems of the larger companies, threatening the entire network.

There are currently no comments highlighted.

7 responses to “Mad Max Coming to an Electric Grid Near You?

  1. I’m not sure if and how this applies to the electric grid per se. Back in the 1990s, I was involved for my then employer with the FCC’s Network Advisory Committee – an federal advisory committee governed by FACA. Federal and state regulators, along with the industry, worked to develop a set of best practices to protect the North American telecom network. Later, its charge was amended to include best practices for interconnecting carriers in an effective and secure manner.

    One of the key findings and source of best practices was the need for diversity in routing calls. For example, the best practices urge 911 call answering points (PSAPs) to be connected to at least two central office switches. Likewise, the best practices call for connecting key parts of the network by at least two separate cables. Of course, all this costs more. I would creating some level of redundancy in electric distribution plant would improve security and reliability.

  2. those who maintain computer networks know that one of the most important things is called “logging”.

    and right next to it – is keeping your patches up to date….

    finally – there’s an excellent piece of software called Tripwire – that lets you know what system files have been changed, when and who.

    the problem with govt and corporations is they waited a long time to figure out just how important the confuration and maintenance of computer systems is … and were content to rely on jack leg types who were “good” at computers rather than seeing it as a professional engineering discipline.

    so , folks would be shocked at who is maintaining computer systems these days in terms of their skills… and understanding of how to properly secure a system… especially since many like the “free” Linux software…

    today -your life depends on computer systems… from traffic signals to that xray you get and folks who don’t take them seriously are in for a rude awakening.

    but no – I do not think the govt is “alarming” us – I think today the govt is getting blamed for “not protecting us” but I guess it depends on your political lens, eh?

  3. Ted Koppel has some weird ideas — in his interview with Charlie Rose about this book, he got off on a long discussion of how he maintains a couple of years of survivalist supplies on hand to last him and his family through any emergency.

    But the point of his latest book is dead right. Over the past 20 years, and particularly in the wake of the last huge blackout in 2003, the FERC has conducted a series of rulemakings and investigations about grid security in the electric utility industry, and all the larger utilities I am aware of treat these concerns VERY seriously, at the Sr VP officer level in most. Unfortunately Koppel’s discussion with General Alexander is correct: the widespread use of (consumer and industry) devices today that communicate via the grid itself creates a vulnerability that is far greater than 1970s-era transmission equipment controlled externally, if at all, through isolated telephone lines and people operating stand-alone mechanical switches.

    The fact is, high voltage electric transmission systems must respond to a host of error signals in fractions of a second. Problems cascade across States, let alone utilities, in time frames that are too fast for human response; it all has to be pre-programmed. And, guess what, those programs, those trigger conditions and responses, are on computers! And those computers talk to each other! What to do? Obviously there’s encryption; but to set up an isolated, single-owner encrypted system is one thing; to have an encrypted system that communicates with all the other systems out there on the Grid means that they must share encryption keys, or have shared communication channels that bypass the encryption. As the book explains in great, gory detail, the way into an encrypted system is through its weakest components — in this case, it’s through the little municipality with no IT budget and a small flood-control dam with a communications alarm signal that’s rarely important but, if it signals a dam break, is very important, so it’s linked to the bigger grid, so if you can hack your way into the dam’s controls, you have a pathway into the grid!

    Read Ted Koppel’s book and stay awake at night thinking about it. You will have company.

  4. Jim, you say, “Cyber-sabotage could lead to system-wide blackout in any or all of North America’s three grids (eastern, western and Texas) that could take months to prepare. Neither the federal nor state governments are remotely prepared to respond to a disaster of this magnitude.” I believe you meant “repair” not “prepare.” In any case, “months to repair” is what it could (and probably would) be — as discussed in Koppel’s book.

  5. Is it not remarkable how we argue endlessly about nonsense and refuse to see or talk about the horrible threats in front of our noses. Most all our leaders do the same. Some things never change. Pearl Harbor was said to be a shock and surprise. It was, but for those willing to see. Some saw it ten years before. A whole bunch saw it coming months before. Most all did nothing. Those very few who did something got punished or shunned, some for many years.

  6. the thing is – if you’re going to use a public computer network to coordinate the grid – you have to set up security to do it. There is nothing magical about the internet and how to do good security is a known discipline but it does take real professionals just like if you have a physical site like power plant -you have to set up physical security. It takes professionals to design it and it costs money and time to set it up – and maintain it.

    the same thing has to be done for computer networks including firewalls and more.

    they may well need to consider a separate network from the internet like the military has done and that network might well also be the basis for a true Smart Grid.

    but no matter what is done – a logging capability must be built-in with no ability to get rid of or modify it.

    such a log automatically captures every access to the system and what changes were made during that access -friend or foe.

    this kind of work is needed and is a good job for any kid that that can get a good core academic education -that includes not only reading – but math and technology. These are the jobs for the 21st century that any child whether in NoVa or SW Va can successfully get – if they have access to a solid 21st century education.

    I don’t see armageddon – I see opportunity …

Leave a Reply